As the proliferation of smartphones and mobile applications grinds ever onward, the Federal Trade Commission (FTC) has tightened up its rules and recommendations for players at every stage of the smartphone app game.

In a staff report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency,” the FTC makes myriad recommendations aimed at better securing consumers’ personal information. The report considers four different groups involved in mobile phone applications: platforms or operating system providers (Google would be an example), app developers, advertising networks and other third parties, and app developer trade associations. Banks that offer mobile banking apps would fall under the umbrella of app developers.

Banks, of course, are already extremely strict about keeping their customers’ personal information secure. And the FTC doesn’t exactly have jurisdiction over mobile banking apps.

“The FTC is not the banking industry’s regulator,” Holly Towle, a partner at K&L Gates, points out. “Banks typically have strict privacy, but that’s because they are governed by the Gramm-Leach-Bliley Act, and that is implemented by the banking regulators.”

Marc DeCastro, research director at IDC Financial Insights, tends to agree: “I would think that most of the FTC weight will be more towards the carriers, the AT&Ts, the Verizons, the Sprints. The banks have their own set of regulators.”

 

FTC Recommendations

Still, the report does contain some useful advice.

First, the FTC recommends that app developers have a privacy policy and make it easily accessible through the app store.

Lengthy and labyrinthine privacy disclosures are hardly unique to the banking industry, of course. But Towle says that is essentially because businesses want to avoid appearing deceptive if they say too little.

“At first, they were fairly short,” she said. “The businesses writing them thought they were just supposed to kind of indicate what their privacy policy was, and they did.”

“I think it’s the disclosure language that’s important. And you’ve also got a really small screen. I’ll make the argument that these disclosures are so complicated and lengthy that nobody reads them and nobody knows what’s going on,” DeCastro said.

Next, the FTC recommends app developers provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.

What exactly is a just-in-time disclosure? Well, for instance, if you were about to enter your birth date into an app, a just-in-time disclosure might pop up and tell you how else that app could use that information, say, to send you an offer the week before your birthday.

“My theory is that they’re very difficult to do without creating a perhaps even greater risk of deception. It’s difficult to decide what you need to say and then say enough,” DeCastro said.

Just-in-time disclosures might also alert consumers to when their location is being tracked and how that data is used.

And while some consumers might be creeped out by an app that knows where you are, DeCastro says that location tracking can have some considerable upsides in mobile banking apps.

For example, it can help a customer find a branch or ATM – or prevent fraud.

If you’ve spent any time at all on Facebook, you’ve undoubtedly seen at least one status update warning government entities that they do not have permission to view the updater’s profile, or declaring that the updater’s pictures and personal details, for example, are copyrighted. (None of these are legally binding, by the way.)

But DeCastro, whose specialty is customer-centric banking strategies, says that your average consumer is actually a little too trusting when it comes to mobile phone apps.

“I think when it comes to mobile apps, people are very trusting right now because they feel that they don’t have that much personal information on it and there’s not that much harm that can happen,” he said. “And quite honestly, we’re still in the infancy of exploring mobile devices. I think as we see more and more attacks on people’s personal devices, you’ll see people getting more selective with their applications and who they open themselves up to.”

Third, the FTC recommends that businesses improve coordination with third parties that provide services so that developers can provide better disclosures to their customers. Towle sees that as a particular challenge.

“It’s a complex chain and though the FTC is correct that the whole chain needs to work together, the legal, practical, and financial structure isn’t in place yet,” she said.

Finally, the FTC recommends businesses consider participating in self-regulatory programs, trade associations and industry organizations, for guidance on writing short, uniform privacy disclosures.

Of course, there’s one other little matter to consider.

“These are not regulations, they’re best practices,” Towle says.

But nonetheless, “the reality is that the FTC is out at the forefront of helping institutions adapt privacy and security rules relevant to mobile. So I think it’s relevant to everyone,” she said.

DeCastro summed it up neatly: “I think they’re good rules of thumb, but I don’t think the bankers should be too worried.”

Email: lalix@thewarrengroup.com

 

FTC Tightens Rules On Banking Apps

by Laura Alix